Play is a new ransomware that takes a page out of Hive and Nokoyawa’s playbook. The many similarities among them indicate that Play and Nokoyawa are operated by the same people.

In July, we investigated a spate of ransomware cases in the Latin American region that targeted government entities, which were initially attributed to a new player known as Play ransomware.…

Following the recent Twilio hack, which led to the leakage of 2FA (OTP) codes, cybercriminals continue to upgrade their attack arsenal to orchestrate advanced phishing campaigns targeting users worldwide. Resecurity has recently identified a new Phishing-as-a-Service (PhaaS) called EvilProxy advertised on the Dark Web. In some sources it goes by the alternative name Moloch, which has some connection to a phishing kit developed by several notable underground actors who previously targeted financial institutions and the e-commerce sector.…

Earlier this year, [redacted] encountered a relatively new ransomware threat actor that called themselves BianLian. We observed the actor deploying custom malware written in the Go programming language, which posed some initial, but not insurmountable, reverse-engineering challenges.

BianLian used subtle techniques to exploit, enumerate, and move laterally in victim networks to remain undetected and aggressively worked to counter Endpoint Detection & Response (EDR) protections during the encryption phase of their operations.…

Stealing information is fundamental to cybercriminals today: it lets them scope and gain access to systems, profile organizations, and execute bigger payday schemes like ransomware. Information stealer malware families, including Prynt Stealer, are often configured through a builder to simplify the process for less sophisticated threat actors. However, Zscaler ThreatLabz researchers have uncovered that the Prynt Stealer builder, which is also attributed with WorldWind and DarkEye, contains a secret backdoor in its code that ends up in every derivative copy and variant of these malware families.…

Mitiga spotted a sophisticated, advanced business email compromise (BEC) campaign directly targeting relevant executives of organizations (mostly CEOs and CFOs) using Office 365. The attackers combine high-end spear-phishing with an adversary-in-the-middle (AiTM) attack to circumvent multi-factor authentication (MFA), and exploit a Microsoft 365 design flaw that allows them to establish access persistence with MFA.…

Key points

The Black Hat network is more unusual and complex than a standard enterprise network due to the number and diversity of devices connected, the abundance of trainings and labs that take place, and the rapid pace of the engagement itself. Over the course of the conference, our IronDefense NDR solution generated 31 malicious alerts and 45 suspicious alerts, detecting both real malware activity and simulated attack tactics from classes and demos.…

IP;C&C domains

45[.]76[.]80[.]199;twiiio-sso[.]com, box-okta[.]org, kucoin-pin[.]com, boxokta[.]com, kucoin-sso[.]com
66[.]42[.]107[.]233;slack-mailchimp[.]com
45[.]32[.]66[.]165;microsoft-sso[.]net, sendgrid-okta[.]org, mlcrosoft[.]info, mlcrosoft[.]cloud
45[.]76[.]238[.]53;ouryahoo-okta[.]org, ouryahooinc-okta[.]com
155[.]138[.]240[.]251;sykes-sso[.]com, internai-customer[.]io, ouryahoo-okta[.]com, ouryahoo-okta[.]net, techmahindra-sso[.]com
149[.]28[.]37[.]137;qualfon-sso[.]com, twiiio[.]net, twiiio[.]org, teleperformanceusa-sso[.]com, tmo-sso[.]net, okta-sso[.]net
149[.]248[.]1[.]50;att-mfa[.]com, att-rsa[.]com
108[.]61[.]119[.]20;mcsupport-okta[.]com, mailgun-okta[.]com, sprint-idg[.]net
149[.]28[.]212[.]53;tmobie[.]net
140[.]82[.]63[.]209;kucoinpin[.]com, kucoinpin[.]net, twiiio-okta[.]net
144[.]202[.]82[.]47;kucoin-pin[.]net, kucoin-sso[.]net
45[.]63[.]39[.]116;telus-sso[.]com
149[.]248[.]62[.]54;rogers-rci[.]net, rogers-ssp[.]com, iqor-duo[.]net, iqor-portal[.]com, cgslnc-okta[.]com, conexusonline[.]com, klaviyo-sso[.]com
66[.]42[.]91[.]138;arise-okta[.]com
216[.]128[.]141[.]52;rogers-rci[.]com,…

A malicious campaign spreading the information stealer, AgentTesla, began circulating mid-August. The bad actors behind the campaign are going after information about victims’ computers and login credentials stored in browsers.

Phishing emails carrying a malicious attachment, sent from spoofed email addresses, are being delivered to businesses across South America and Europe.…

Summary

Actions for ZCS administrators to take today to mitigate malicious cyber activity:

• Patch all systems and prioritize patching known exploited vulnerabilities.

• Deploy detection signatures and hunt for indicators of compromise (IOCs).

• If ZCS was compromised, remediate malicious activity.

Updated November 10, 2022: This product was written by the Cybersecurity and Infrastructure Security Agency (CISA) and the Multi-State Information Sharing and Analysis Center (MS-ISAC) with contributions by the Federal Bureau of Investigation (FBI).…

New stealer developing Crypto Miner capabilities

During a routine threat hunting exercise, Cyble Research Labs (CRL) came across a Twitter post in which researchers mentioned a URL hosting a Windows executable payload named systemupdate.exe. The researcher in the Twitter post claims this Windows executable is a variant of the Typhon stealer malware delivered via a crafted .lnk…

Executive Summary: What is Redline Stealer?

RedLine is a stealer distributed as cracked games, applications, and services.

The malware steals information from web browsers, cryptocurrency wallets, and applications such as FileZilla, Discord, Steam, Telegram, and VPN clients. The binary also gathers data about the infected machine, such as the running processes, antivirus products, installed programs, the Windows product name, the processor architecture, etc.…

In this blog, the Qualys Research Team explains the mechanics of a Linux malware variant named BPFDoor. We then demonstrate the efficacy of Qualys Custom Assessment and Remediation in detecting it, and of Qualys Multi-Vector EDR in protecting against it.

BPFDoor is a Linux/Unix backdoor that allows threat actors to remotely connect to a Linux shell to gain complete access to a compromised device.…

Amadey Bot, a malware strain first discovered in 2018, is capable of stealing information and installing additional malware by receiving commands from the attacker. Like other malware strains, it has been sold on illegal forums and used by various attackers.

The ASEC analysis team previously documented cases where Amadey was used in attacks, in an ASEC blog post published in 2019 (English version unavailable).…

Summary

The Federal Bureau of Investigation (FBI), Cybersecurity and Infrastructure Security Agency (CISA), and the Department of the Treasury (Treasury) are releasing this joint Cybersecurity Advisory (CSA) to provide information on Maui ransomware, which has been used by North Korean state-sponsored cyber actors since at least May 2021 to target Healthcare and Public Health (HPH) Sector organizations.…

Volexity frequently works with individuals and organizations heavily targeted by sophisticated, motivated, and well-equipped threat actors from around the world. Some of these individuals or organizations are attacked infrequently or on an irregular basis, while others see a barrage of attacks nearly every week.…

In this report, we investigate the reasons that the DeadBolt ransomware family is more problematic for its victims than other ransomware families that previously targeted NAS devices.

By Stephen Hilt, Éireann Leverett, Fernando Mercês

The DeadBolt ransomware kicked off 2022 with a slew of attacks that targeted internet-facing Network-Attached Storage (NAS) devices.…
